Paradise
Paradise is ransomware that runs on Microsoft Windows. It is part of a Ransomware as a Service (RaaS) platform and is similar to Dharma. It is aimed at English-speaking users. Its name is based on Burnout Paradise.

Payload Transmission

Paradise is distributed by breaking in through insecure RDP configurations, by email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

Once executed, Paradise relaunches itself in order to gain administrative privileges and then generates a unique RSA-1024 key. This key is then used to encrypt the files on each drive of the computer. When encrypting a file it appends the string id-affiliate_id.affiliate_email.paradise to the file name. For example, a file named test.jpg would be encrypted as test.jpgid-3VwVCmhU.info@decrypt.ws.paradise. Because Paradise uses RSA to encrypt each file, the encryption process is very slow, which can give a victim time to detect the encryption taking place and stop it.

When the ransomware has finished encrypting a computer, it drops ransom notes named #DECRYPT MY FILES#.txt in every folder in which a file was encrypted. This ransom note contains the affiliate's email address and instructions on how to make the payment. Paradise then extracts a base64-encoded wallpaper image, saves it to the %Temp% folder as desk.bmp, and sets it as the victim's desktop background; the image states that all their files are encrypted. Finally, the ransomware writes the RSA key that was used to encrypt the victim's files to the %UserProfile%\DecriptionInfo.auth file. This file is then encrypted with a master key bundled in the ransomware executable, which allows the developers to recover a victim's unique RSA key after the ransom has been paid.
The ransom note says the following:

HAPPENED
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: info@decrypt.ws
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

DECRYPTION AS GUARANTEE
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 1Mb

TO OBTAIN BITCOINS
The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins

ATTENTION
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

Removal

A decryptor for Paradise has been released by Emsisoft that allows victims to decrypt their files for free. Not all variants of Paradise are supported. The confirmed extensions that can be decrypted are:

* .2ksys19
* .p3rf0rm4
* .prt
* .exploit
* .immortal
* .Recognizer
* .sambo
* .paradise (e.g. _V.0.0.1{help@badfail.info}.paradise)
* .FC (e.g. _Support_{}.FC)
* .sev (e.g. _Kim Chin Im_{}.sev)

Variants

* Sell: A variant discovered in March 2018. It appends the id-.support@all-ransomware.info.sell file extension.
* Ransom & Logger: Variants also discovered in March 2018. These versions still use the same unbreakable encryption method. Following encryption, they deliver a ransom note called #DECRYPT MY FILES# .html, which asks for the ransom in Bitcoins:

WHAT HAPPENED!
Your important files produced on this computer have been encrypted due a security problem.
If you want to restore them, write to us by email.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

FREE DECRYPTION AS GUARANTEE!
Before payment you can send us 1-3 files for free decryption. Please note that files must NOT contain valuable information.
The file size should not exceed 1MB.
As evidence, we can decrypt one file.

* Prt: A variant discovered in June 2018. Soon after encryption it delivers a ransom note named PARADISE_README_paradise@all-ransomware.info.txt with the following text:

To decrypt your files contact us by email — paradise@all-ransomware.info and paradise@all-ransomware.info
Your user id: redacted
with respect
Ransomware Paradise Team

* VACv2 & Corp: Variants discovered by Michael Gillespie. VACv2 was discovered at Christmas 2018 and Corp in January 2019. These versions add no new features apart from different file extensions.
* XYZ: A variant discovered by MalwareHunterTeam. XYZ appends the .xyz extension to all encrypted files. Like others of its kind, it uses encryption to lock documents on the targeted computer. After encryption, XYZ drops a note named "Instructions with your files.txt". The note announces the infection and gives the email addresses admin@prt-decrypt.xyz or admin@prt-decrypt.xyz as the way to contact the criminals about the ransom price and the decryption tool. The ransom message reads:

All your files have been encrypted
contact us via the e-mail listed below.
e-mail: admin@prt-decrypt.xyz
or
e-mail: admin@prt-decrypt.xyz
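As an added example that is not part of the wiki article, the following read-only Python scanner recognises the artefacts described above: file names carrying the id-affiliate_id.affiliate_email suffix from the Infection section or the brace-style suffixes quoted for later variants, the ransom note names, and the DecriptionInfo.auth key file. The extension list, note names and sample file names come from this page; treating the two suffix shapes as general patterns, and the sample tree itself, are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions this page attributes to Paradise and its variants (matched case-insensitively).
PARADISE_EXTENSIONS = {"paradise", "sell", "prt", "xyz", "fc", "sev", "2ksys19",
                       "p3rf0rm4", "exploit", "immortal", "recognizer", "sambo"}
# Ransom note names quoted on the page; the PARADISE_README name embeds an affiliate address.
RANSOM_NOTE_RE = re.compile(r"^(#DECRYPT MY FILES# ?\.(txt|html)|PARADISE_README_.+\.txt"
                            r"|Instructions with your files\.txt)$", re.IGNORECASE)
KEY_FILE = "DecriptionInfo.auth"  # %UserProfile% file holding the victim's encrypted RSA key
# Suffix shapes (assumed general): "<name>id-<affiliate>.<email>.<ext>" and "<name>_<tag>{<email>}.<ext>"
_ID_FORM = re.compile(r"^(?P<orig>.*?)id-(?P<aff>[A-Za-z0-9]*)\.(?P<email>[^.@{}]+@[^{}]+)$")
_BRACE_FORM = re.compile(r"^(?P<orig>.*?)_[^{}]*\{(?P<email>[^{}]*)\}$")

def parse_encrypted_name(filename):
    """Split a Paradise-style file name into its parts; returns None if it does not match."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in PARADISE_EXTENSIONS:
        return None
    m = _ID_FORM.match(stem) or _BRACE_FORM.match(stem)
    if not m:
        return None
    return {"original": m["orig"], "affiliate_id": m.groupdict().get("aff", ""),
            "affiliate_email": m["email"], "extension": ext}

def scan_tree(root):
    """Read-only walk that collects Paradise indicators under root (nothing is modified)."""
    found = {"encrypted": [], "notes": [], "key_file": False, "emails": set()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == KEY_FILE:
                found["key_file"] = True
            elif RANSOM_NOTE_RE.match(name):
                found["notes"].append(os.path.join(dirpath, name))
            elif (parsed := parse_encrypted_name(name)) is not None:
                found["encrypted"].append(parsed)
                found["emails"].add(parsed["affiliate_email"])
    return found

def demo_scan():
    """Scan a constructed sample tree whose file names are taken from the page's examples."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    for rel in ("test.jpgid-3VwVCmhU.info@decrypt.ws.paradise", "#DECRYPT MY FILES#.txt",
                "DecriptionInfo.auth", "docs/report.docx_V.0.0.1{help@badfail.info}.paradise",
                "docs/notes.txt", "docs/#DECRYPT MY FILES#.txt"):
        open(os.path.join(root, rel), "w").close()
    return scan_tree(root)
```

The affiliate email recovered from the suffix is the same address the ransom note carries, so the set collected in "emails" lets an analyst tell which affiliate's build hit a machine without opening the notes.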